Tag: botnets

One of the side effects of Apple Macs becoming more popular is that their token security is getting increasingly tested.

For years, Apple users smugly claimed that there was no malware for the Mac because of Jobs’ Mob’s superior technology, while saner types suggested that there were too few Macs out there for malware writers to bother with.

There was little point doing all that coding to break into a computer which only had a Coldplay collection and a Safari web browser. That appears to be changing with hackers keener to draft Mac users into botnets on the safe basis that they will never actually believe it has happened to them.

A security researcher has discovered a new vulnerability in Apple Mac computers that could be used to remotely plant persistent rootkit malware on users’ machines, handing attackers full control of the system.

The zero day appears to be down to a bug in Apple’s sleep-mode power-saving implementation: after the machine resumes from sleep, the flash memory that holds the extensible firmware interface (EFI) firmware (the code that provides low-level hardware control and access and runs before the operating system) is left writeable to software running on the computer, rather than being locked again until the next reboot.

Putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing.

Pedro Vilaça said the vulnerability can be used to remotely plant rootkits or persistent malware in the writeable flash memory, invisible to the operating system, using a Safari browser exploit as the way in.

“A remote exploit could simply deliver a payload that will either wait or test if a previous sleep existed and machine is vulnerable, or force a sleep and wait for a wakeup to resume its work,” Vilaça told iTnews.

“After the BIOS protections are unlocked it can simply overwrite the BIOS firmware with something that contains an EFI rootkit and that’s it.”

Some extra steps may be needed to escalate to root in order to load kernel modules, but that is not particularly complicated, Vilaça said.
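To put the “unlocked” state in register terms: on Intel chipsets the flash that holds the firmware is guarded by a handful of bits that the firmware is supposed to set at boot, and that a sleep/resume path has to set again. The following is an added example, not code from the article or from Vilaça’s own tooling, that decodes those bits the way firmware-audit tools such as chipsec do. The register layouts (BIOS_CNTL, HSFS, PR0 to PR4) are from Intel’s PCH datasheets; the register values, the 8 MiB flash size and the BIOS region offsets are constructed for illustration and were not read from any Mac.

```python
"""Decode the Intel PCH SPI-flash write-protection state (added example).

Register layouts follow Intel PCH datasheets: BIOS_CNTL lives in the LPC
bridge's PCI config space, HSFS and PR0..PR4 in the SPI controller's MMIO
window. The register values below are CONSTRUCTED for illustration; they
were not read from any Mac.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host writes to the BIOS region are honoured
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only honoured while the CPU is in SMM
# HSFS bits
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: PRx become read-only until the next reset
# PRx bits
PR_WPE = 1 << 31        # Write Protection Enable for this range
PR_FIELD_MASK = 0x1FFF  # base in bits 12..0, limit in bits 28..16, both in 4 KiB units


@dataclass
class FlashRegs:
    bios_cntl: int
    hsfs: int
    prs: List[int] = field(default_factory=lambda: [0] * 5)


def protected_ranges(regs: FlashRegs) -> List[Tuple[int, int]]:
    """(first_byte, last_byte) of every PRx that has write protection enabled."""
    ranges = []
    for pr in regs.prs:
        if pr & PR_WPE:
            first = (pr & PR_FIELD_MASK) << 12
            last = (((pr >> 16) & PR_FIELD_MASK) << 12) | 0xFFF
            ranges.append((first, last))
    return ranges


def bios_region_writable(regs: FlashRegs, bios_first: int, bios_last: int) -> Tuple[bool, str]:
    """Could ring-0 code (a loaded kernel module, say) reprogram the BIOS region?

    Two independent mechanisms can stop it: BIOS_CNTL (SMM_BWP, or BLE with
    BIOSWE clear, the latter being the weaker of the two) and a PRx covering
    the whole region. A PRx is only as good as FLOCKDN: with FLOCKDN clear the
    attacker simply rewrites the PRx first.
    """
    if regs.bios_cntl & SMM_BWP:
        return False, "BIOS_CNTL.SMM_BWP set: writes only from SMM"
    if (regs.bios_cntl & BLE) and not (regs.bios_cntl & BIOSWE):
        return False, "BIOS_CNTL.BLE set with BIOSWE clear: firmware SMI handler guards BIOSWE"
    covered = any(f <= bios_first and l >= bios_last for f, l in protected_ranges(regs))
    if covered and (regs.hsfs & FLOCKDN):
        return False, "protected range covers BIOS region and FLOCKDN is set"
    if covered:
        return True, "protected range covers BIOS region but FLOCKDN is clear: PRx can be rewritten"
    return True, "no protection: BIOS_CNTL open and no protected range covers the BIOS region"


# Constructed 8 MiB flash with the BIOS region at 0x190000..0x7FFFFF
BIOS_FIRST, BIOS_LAST = 0x190000, 0x7FFFFF
PR0_BIOS = PR_WPE | (0x7FF << 16) | 0x190   # base 0x190 * 4 KiB, limit 0x7FF * 4 KiB

AT_BOOT = FlashRegs(bios_cntl=0, hsfs=FLOCKDN, prs=[PR0_BIOS, 0, 0, 0, 0])
AFTER_WAKE_BUGGY = FlashRegs(bios_cntl=0, hsfs=0, prs=[0, 0, 0, 0, 0])        # nothing re-applied on resume
AFTER_WAKE_HALF = FlashRegs(bios_cntl=0, hsfs=0, prs=[PR0_BIOS, 0, 0, 0, 0])  # PRs back, lock-down forgotten

if __name__ == "__main__":
    for name, regs in [("at boot", AT_BOOT),
                       ("after wake (buggy)", AFTER_WAKE_BUGGY),
                       ("after wake (PRs only)", AFTER_WAKE_HALF)]:
        writable, why = bios_region_writable(regs, BIOS_FIRST, BIOS_LAST)
        print(f"{name:24s} writable={writable}  {why}")
```

Fed with values read from a real machine, the same decoder tells you whether a box that has just woken from sleep is in the state the article describes. The third constructed case is the one worth remembering: re-applying the protected ranges without re-locking them buys nothing, because ring-0 code can clear them again.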

Vilaça believes Apple knew of the issue, because his testing shows the flaw is absent from the firmware of Macs made from mid-2014 onwards. If he is right, it means Apple does not really care about those who do not upgrade their hardware every year.

Online activists Anonymous have hijacked hundreds of thousands of home and office internet routers.

Security outfit Incapsula said the hackers target routers that still have their factory-default usernames and passwords, an “inexplicably negligent” mistake by ISPs and users alike.

The hijacked routers, located mostly in the US, Thailand, and Brazil, were infected by various potent malware and used to build a botnet that began attacks against dozens of targets in late December 2014.

Using the Internet bandwidth from the homes and offices of these routers, the owners of these botnets wield a weapon that packs a heavy punch against online targets.

Many of the hijacked machines reported back to AnonOps.com, a gathering point for the Anonymous activist group, “indicating that Anonymous is one of the groups responsible for exploiting these under-protected devices,” the report claims.

The hacking was first discovered by Incapsula last year when dozens of its customers were victims of what researchers describe as a “homogenous botnet” made up of swaths of nearly the same home and office routers.

An investigation revealed that all the hijacked routers suffer from lax security: their management interfaces were remotely accessible via HTTP and SSH on the default ports.

The botnet was self-sustaining. Newly hijacked routers will scan for other vulnerable machines; when a good target is found, an automated script easily conscripts it into the botnet’s ranks.
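Seen from the router’s own logs, the scan-and-conscript cycle described above looks like a burst of password guesses for factory account names from an address outside the LAN, occasionally followed by a success. The following is an added example, not from Incapsula’s report, that runs that detection over OpenSSH-format log lines; the log lines are constructed, and the LAN range and the list of “default” account names are assumptions for the example.

```python
"""Flag default-credential scanning and take-overs in sshd logs (added example).

Log lines are CONSTRUCTED in OpenSSH's syslog format. The LAN prefix and the
list of factory account names are assumptions for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")                     # assumption: the router's inside network
DEFAULT_USERS = {"admin", "root", "user", "support"}   # illustrative; real defaults vary by vendor
LINE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def analyse_sshd_log(lines, fail_threshold=3):
    """Return sorted (source_ip, kind, detail) alerts.

    kind is one of:
      takeover - a success that followed failures from the same source (guessing paid off)
      exposed  - a factory account logged straight in from outside the LAN
      scan     - repeated failures from outside the LAN with no success
    """
    events = defaultdict(list)  # source ip -> [(result, user), ...]
    for line in lines:
        m = LINE.search(line)
        if m:
            result, user, src = m.groups()
            events[src].append((result, user))

    alerts = []
    for src, evs in events.items():
        outside = ip_address(src) not in LAN
        fails = sum(1 for r, _ in evs if r == "Failed")
        accepted = [u for r, u in evs if r == "Accepted"]
        if accepted and fails:
            alerts.append((src, "takeover", f"login as {accepted[0]} succeeded after {fails} failures"))
        elif accepted and outside and set(accepted) & DEFAULT_USERS:
            alerts.append((src, "exposed", f"factory account {accepted[0]} logged in from outside the LAN"))
        elif outside and fails >= fail_threshold:
            alerts.append((src, "scan", f"{fails} failed logins from outside the LAN"))
    return sorted(alerts)


# Constructed sample: one legitimate LAN login, one successful guess from the
# internet, one scanner that gave up.
SAMPLE_LOG = """\
Jan  5 09:12:01 gw sshd[2201]: Accepted password for admin from 192.168.1.20 port 52110 ssh2
Jan  5 09:14:33 gw sshd[2210]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan  5 09:14:35 gw sshd[2212]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan  5 09:14:38 gw sshd[2214]: Failed password for invalid user support from 198.51.100.7 port 41004 ssh2
Jan  5 09:14:41 gw sshd[2216]: Accepted password for admin from 198.51.100.7 port 41006 ssh2
Jan  5 09:20:02 gw sshd[2230]: Failed password for admin from 203.0.113.77 port 33001 ssh2
Jan  5 09:20:04 gw sshd[2231]: Failed password for admin from 203.0.113.77 port 33002 ssh2
Jan  5 09:20:06 gw sshd[2232]: Failed password for root from 203.0.113.77 port 33003 ssh2
"""

if __name__ == "__main__":
    for src, kind, detail in analyse_sshd_log(SAMPLE_LOG.splitlines()):
        print(f"{src:16s} {kind:9s} {detail}")
```

The “exposed” case is the cheap fix the article is pointing at: if any address outside the LAN can even reach the login prompt on port 22 or 80, the credentials are the only thing standing between the router and the botnet, and factory credentials are no credentials at all.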

The malware infecting the machines ranges from the popular MrBlack trojan to new and as-yet unidentified pieces of malware.

DDoS protection company Prolexic has warned of a spike in the number of Distributed Reflection and Amplification Denial of Service, or DrDoS, attacks, which have notably grown over the last year.

The company points out that common networked devices such as printers, cameras, hubs, sensors and routers are increasingly being taken advantage of and turned into nodes that launch malicious attacks as part of wider botnets.

These can be tough to pin down because the attacker forges the source address of the requests, so the victim sees traffic only from the reflecting devices and never from the real origin. DrDoS attacks, the whitepaper points out, are possible because of how the original RFCs were designed: the most widely used protocols were built for functionality rather than security, which can leave them wide open.

In a whitepaper, Prolexic outlines in technical terms how three common network protocols are used to launch the attacks: Simple Network Management Protocol (SNMP), used to manage IP-based devices; Network Time Protocol (NTP), used to synchronise clocks across networks; and Character Generation Protocol (CHARGEN), a test service used for debugging network connections. All three run over UDP, which does nothing to verify the sender, and all three will answer a small request with a much larger reply.
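Those two properties are what make a service a usable reflector: no check on where the request came from, and a reply that is many times the size of the request (an NTP mode-7 monlist reply, for instance, can run to hundreds of 440-byte packets). Below is an added example, not from the Prolexic paper, that works over NetFlow-style records to spot this from both vantage points: a target being hit by many reflectors it never queried, and a reflector that is being abused. The flow records are constructed, and the thresholds are assumptions to tune for a real network.

```python
"""Spot DrDoS (reflection/amplification) traffic in flow records (added example).

Records are CONSTRUCTED in a NetFlow-like shape:
  {"src", "dst", "proto", "sport", "dport", "bytes"}
Reflector services: SNMP 161/udp, NTP 123/udp, CHARGEN 19/udp.
"""
from collections import defaultdict

REFLECTOR_PORTS = {161: "snmp", 123: "ntp", 19: "chargen"}


def victims(flows, min_reflectors=3, min_ratio=5.0):
    """Victim's view: hosts receiving replies from many distinct reflector
    addresses, far out of proportion to anything they sent to those services.
    If the collector also sees the forged requests, they count as 'sent', so
    the ratio stays honest wherever the sensor sits."""
    recv = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    sent = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in REFLECTOR_PORTS:            # reply from a reflector service
            v = recv[f["dst"]]
            v["bytes"] += f["bytes"]
            v["reflectors"].add(f["src"])
            v["services"].add(REFLECTOR_PORTS[f["sport"]])
        elif f["dport"] in REFLECTOR_PORTS:          # request towards a reflector service
            sent[f["src"]] += f["bytes"]
    alerts = {}
    for host, v in recv.items():
        ratio = v["bytes"] / sent[host] if sent[host] else float("inf")
        if len(v["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            alerts[host] = {"reflectors": len(v["reflectors"]), "ratio": ratio,
                            "services": sorted(v["services"]), "bytes": v["bytes"]}
    return alerts


def reflector_amplification(flows):
    """Reflector's view: per (reflector address, service), reply bytes divided by
    request bytes. Anything well above 1 means the box is a useful amplifier.
    (Requests are classified first, so a client that also binds port 123 is
    ambiguous; the sample avoids that case.)"""
    req = defaultdict(int)
    rep = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in REFLECTOR_PORTS:
            req[(f["dst"], REFLECTOR_PORTS[f["dport"]])] += f["bytes"]
        elif f["sport"] in REFLECTOR_PORTS:
            rep[(f["src"], REFLECTOR_PORTS[f["sport"]])] += f["bytes"]
    return {k: (rep[k] / req[k] if req[k] else float("inf")) for k in rep}


def abused_reflectors(flows, min_factor=10.0):
    return sorted(k for k, factor in reflector_amplification(flows).items() if factor >= min_factor)


def _udp(src, dst, sport, dport, nbytes):
    return {"src": src, "dst": dst, "proto": "udp", "sport": sport, "dport": dport, "bytes": nbytes}


# Constructed sample: five reflectors hammering one victim, plus one honest NTP client.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = []
for reflector in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):   # NTP servers answering monlist
    SAMPLE_FLOWS += [_udp(VICTIM, reflector, 40000, 123, 60),          # forged request, 'from' the victim
                     _udp(reflector, VICTIM, 123, 40000, 4400)]        # the reply lands on the victim
SAMPLE_FLOWS += [
    _udp(VICTIM, "192.0.2.20", 40000, 161, 80), _udp("192.0.2.20", VICTIM, 161, 40000, 3200),  # SNMP bulk walk
    _udp(VICTIM, "192.0.2.30", 40000, 19, 40), _udp("192.0.2.30", VICTIM, 19, 40000, 2000),    # CHARGEN
    _udp("203.0.113.50", "198.51.100.9", 51000, 123, 48),                                      # legit NTP poll
    _udp("198.51.100.9", "203.0.113.50", 123, 51000, 48),
]

if __name__ == "__main__":
    for host, info in victims(SAMPLE_FLOWS).items():
        print(f"victim {host}: {info['reflectors']} reflectors, x{info['ratio']:.1f}, {info['services']}")
    for (ip, svc), factor in sorted(reflector_amplification(SAMPLE_FLOWS).items()):
        print(f"reflector {ip:14s} {svc:8s} amplification x{factor:.1f}")
```

The second function is the one to run on your own address space: if a server of yours shows an amplification factor in the tens, it is somebody’s cannon whether or not you have noticed the traffic.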

Prolexic warns that DrDoS threats will grow over time as networks grow and more servers and IP devices are added. In the short term the gaps are unlikely to be plugged, because fixing them properly would need entirely new protocols; for the current batch the problems sit at the core of their design.

To lower the threat, Prolexic advises sysadmins to disable these services where they are not needed, and otherwise to restrict which functions can be queried and who is allowed to query them.
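As an added example of what “disable or restrict” looks like in practice (not taken from the Prolexic paper), the following checks an ntp.conf, an snmpd.conf and an xinetd chargen stanza for the settings that make a box a usable reflector, with a weak configuration beside a hardened one. The keywords are the real ones from ntp.conf(5), snmpd.conf(5) and xinetd.conf(5); the configuration texts themselves are constructed.

```python
"""Audit ntpd, snmpd and xinetd/chargen configs for reflector-friendly settings (added example).

Keywords are the real ones from ntp.conf(5), snmpd.conf(5) and xinetd.conf(5);
the configuration texts are CONSTRUCTED.
"""
import re


def _stripped(text):
    """Non-empty lines with '#' comments removed."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def audit_ntp_conf(text):
    findings = []
    lines = _stripped(text)
    if not any(re.fullmatch(r"disable\s+monitor", l) for l in lines):
        findings.append("ntp: add 'disable monitor' (mode-7 monlist is the classic NTP amplifier)")
    defaults = [l for l in lines if re.match(r"restrict\s+(?:-[46]\s+)?default\b", l)]
    if not defaults:
        findings.append("ntp: no 'restrict default' line, so any address may query and modify")
    for l in defaults:
        if "noquery" not in l.split():
            findings.append(f"ntp: '{l}' lacks noquery, so mode 6/7 queries are answered for everyone")
    return findings


def audit_snmpd_conf(text):
    findings = []
    lines = _stripped(text)
    for l in lines:
        m = re.match(r"(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", l)
        if not m:
            continue
        access, community, source = m.groups()
        if community in ("public", "private"):
            findings.append(f"snmp: well-known community '{community}' is {access}")
        if source is None or source == "default":
            findings.append(f"snmp: community '{community}' accepts requests from any source")
    if not any(l.lower().startswith("agentaddress") for l in lines):
        findings.append("snmp: no agentAddress, so snmpd listens on every interface")
    return findings


def audit_xinetd_chargen(text):
    """xinetd enables a service unless its stanza says 'disable = yes'."""
    findings = []
    for m in re.finditer(r"service\s+(chargen(?:-udp|-dgram)?)\s*\{([^}]*)\}", text):
        name, body = m.groups()
        if not re.search(r"^\s*disable\s*=\s*yes\s*$", body, re.M):
            findings.append(f"chargen: xinetd service '{name}' is enabled; set 'disable = yes'")
    return findings


def audit_all(ntp_conf, snmpd_conf, xinetd_conf):
    return audit_ntp_conf(ntp_conf) + audit_snmpd_conf(snmpd_conf) + audit_xinetd_chargen(xinetd_conf)


# Constructed weak and hardened configurations.
WEAK_NTP = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
"""
HARD_NTP = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
WEAK_SNMP = "rocommunity public\n"
HARD_SNMP = """\
agentAddress udp:127.0.0.1:161,udp:192.0.2.1:161
rocommunity n0t-pub1ic 192.0.2.0/24
"""
WEAK_CHARGEN = """\
service chargen
{
    disable     = no
    type        = INTERNAL
    id          = chargen-dgram
    socket_type = dgram
    protocol    = udp
    user        = root
    wait        = yes
}
"""
HARD_CHARGEN = WEAK_CHARGEN.replace("disable     = no", "disable     = yes")

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_NTP, WEAK_SNMP, WEAK_CHARGEN)),
                        ("hardened", (HARD_NTP, HARD_SNMP, HARD_CHARGEN))):
        print(f"--- {label}")
        for finding in audit_all(*args) or ["no findings"]:
            print(" ", finding)
```

None of this changes the protocols, which is Prolexic’s point; it just stops your copies of them answering strangers, which is the part a sysadmin actually controls.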

An interesting report fresh out of McAfee claims the US is home to more botnets than Russia and China combined. Botnets are usually associated with third-world countries, with weak regulatory frameworks and plenty of loopholes for money laundering.

A total of 631 botnet control servers are actually hosted in the Land of the Free, which is hardly surprising as the US is still the Mecca for cheap hosting. The British Virgin Islands ranked second, with 237 servers. With a population of just 27,000, the tiny Caribbean nation has the unflattering distinction of hosting more botnet servers per capita than any other place in the world, one per 113 residents. Still, we are talking about the Caribbean, and botnets are apparently the new privateers.

The Netherlands ranked third with 154 servers, trailed by Russia and Germany with 125 and 95 servers respectively. Korea came in sixth place with 81 servers, while the Swiss also got on the list, with 77 botnet servers, as if cuckoo clocks and banks weren’t enough of a nuisance.

Australia ranked eighth with 83 antipodean botnet servers, while China hosts just 48. With all the bad press China gets for malware, botnets and alleged cyber attacks, this is a pretty low figure, a far cry from the terracotta cyber army some US media outlets would have us fear. Canada hosts 38 botnet servers and ranks tenth.

Clusters of botnet servers are also visible in other parts of the world, such as the Middle East, Eastern Europe and Southeast Asia. Very few botnet servers are hosted in South America. The only continent with no botnet servers? Antarctica.

The Ministry of Defence (MoD) faced a barrage of six hundred thousand automated botnet attacks a day, an ex-employee has told TechEye.

The source, who worked for the organisation three years ago, also said that many of these came from China, telling us that the attacks decreased significantly when addresses from China were blocked. However, these came back when hackers managed to find a way around the block.

We contacted a security expert with inside knowledge of the problem, who agreed with the comments: “While there’s not much I can say about the workings and findings at the MoD, it’s not a secret that the UK on a whole suffers from botnet attacks from other countries,” he told TechEye.

“This is particularly a problem in the Government sector, corporations and other secret services. These can come from as far afield as Australia, but the most common attacks we see are those from the likes of China.

“Cyber attacks and cyber espionage are only going to get worse and as the MoD discovered no amount of blocking will be able to deter these.”

Ironically the comments come as a government report today for the first time highlights that UK cyber crime costs £27 billion a year.

However, the government warns that the real costs could be much higher. Businesses bear the brunt of the attacks, with the report attributing £21 billion of costs to them, while the government lost £2.2 billion and citizens £3.1 billion.

Security minister Baroness Neville-Jones told delegates at a press briefing this morning in London that the government was determined to work with industry to tackle cyber crime.

At the moment, cyber criminals are “fearless because they do not think they will be caught”, she said, before adding that the Government had a strategy to tackle the problem and had committed £650m over the next four years to it.

However, the source told TechEye that the Government shouldn’t just throw money at the situation.

“The government needs to ensure it employs people who can do the right in-depth research rather than just throwing money at the cyber security budget,” he said.

According to the report, nearly half of the £21bn cost to business was made up of intellectual property theft. This included illegal downloading and file sharing as well as industrial espionage, such as the theft of designs and commercial secrets. The hardest-hit sectors were pharmaceuticals, biotech, electronics, IT and chemicals.

Cameron has announced Whitehall will spend £1 billion on “cyber defence”. A Homeland Security spokesman in the US has said that it needs to wise up to the cyber threat. We’ve been talking to some cyber security experts, anonymous and with either direct access to, or access to those with direct access to, top level government agencies in both the United States and the UK. Guess what? Defence don’t mean defence.

Meetings have been going on and continue about the possibilities of using cyber attacks as weapons. We’re not just talking Stuxnet, which is believed by many to have come from Israel, China or the US to sabotage Iranian and/or Indian infrastructure, but botnets too. “Defence” agents don’t just want to know how to neutralise a threat, but how to gain access to and control the world’s largest botnets to point at who they need to.

“You would be a fool,” one source suggested to us this week, “to think that governments are not considering the applications for cyber warfare.”

Earlier on in the week someone else close to the matter, who also wished to be anonymous – you’d be mad not to remain anonymous – told us that attacks on hospitals and power grids are “likely”. In fact attacks on hospitals are happening already. All of this must be kept under wraps – if attackers know they’re causing trouble that’s cause for celebration.

As Nick Farrell reported this morning, Michael Chertoff, former homeland security secretary in the States, says that a Mutually Assured Destruction model reminiscent of the cold war is the way forward. We hear from trusted sources that a top author and security expert has been invited to the White House for chats.

It feels as if we’re entering a new era of aggression based not on direct human casualty but striking at the heart of vital financial and health services, wiping data and crippling IT systems which we have come to rely on almost entirely – a long-term attrition game. “Rogue states” such as North Korea are the usual suspects but we imagine the big players in the West, the East, and elsewhere all know what the score is.

Let’s be perfectly clear – we’re aware of how much this sounds like we’ve got our tinfoil hats firmly screwed to our heads. We’re aware that this sounds like science fiction. But there’s something big going on here.

Apparently 3FN advertised its services in the darkest corners of the Internet, including a chat room for spammers.

3FN shielded its criminal clientèle by ignoring take-down requests issued by the online security community, or shifting its criminal elements to other IP addresses.

The outfit deployed and operated botnets, recruited bot herders and hosted the zombie command-and-control servers.

The FTC showed the court transcripts of instant-message logs from the defendants’ senior employees discussing the configuration of botnets with bot herders.

It claimed that more than 4,500 malicious software programs were controlled by command-and-control servers hosted by 3FN. This malware included programs capable of keystroke logging, password stealing, and data theft, programs with hidden backdoor remote control activity, and programs involved in spam distribution, the FTC said.

In June 2009, when a court issued a preliminary injunction against 3FN, spam volumes dropped by about 15 percent.

Insecurity experts at Trusteer have warned that the Zeus botnet which has been crafted to nick online banking details is back and kicking.

Trusteer says the Trojan is present on one in every 3,000 of the 5.5 million computers it monitors in the US and UK.

The latest version, Zeus 1.6, can infect people using Firefox and Internet Exploder web browsers. It steals login information by recording keystrokes when the infected user is on a list of target websites. The data is then sent to a remote server to be used and sold on by cyber-criminals.

Anti-virus outfits had been good at shutting down the Zeus servers. In March 2010, many parts of the command and control system for the Zeus botnet were destroyed when the Kazakhstani ISP that was being used to administer it was cut off.

But to mix the mythological metaphors, Zeus is pretty much a Hydra and killing it is a Herculean task.

Amit Klein, chief technology officer at Trusteer expects the new version of Zeus to significantly increase fraud losses, since nearly a third of internet users bank online with Firefox and the infection is growing faster than seen before.

A judge has granted Microsoft’s request to take down 277 internet domains associated with a so-called botnet installed on thousands of PCs worldwide.

A botnet consists of a legion of infected PCs that can be used by criminal minds to send spam or launch denial of service attacks on other sites.

The judge, Leonie Brinkema, granted the order against the Waledac botnet on Monday, giving Microsoft permission to cut off the suspect domains and requiring Verisign to shut down the .com domains alleged to house the botnet.

According to the Wall Street Journal (subscription required), all the domain names are based in China.